
The latest on attacks, traffic patterns and cyber protection in Ukraine

2022-12-12


On February 24, 2022, when Russia invaded Ukraine, Cloudflare jumped into action to provide services that could help prevent potentially destructive cyberattacks and keep the global Internet flowing. In the nearly 10 months since that day, we’ve posted about our actions and about the network traffic patterns, cyberattacks and network outages we’ve seen during the conflict.

During Impact Week, we want to provide an update on where things currently stand, the role of security companies like Cloudflare, and some of our takeaways from the conflict so far.

Cyberattacks on Ukrainian infrastructure and Cloudflare’s assistance

Since the time of the invasion, Ukrainian government and civilian infrastructure has come under a barrage of DDoS and other common cyberattacks. Although the public perception has been that cyberattacks have not played a significant role in the conflict, cyberspace has been an active battlefield. Ukrainian websites saw a significant spike in application-layer attacks mitigated by the firewall in March 2022 and another spike in mid-September. Ukrainian sites have also seen a significant increase in the daily average percentage of requests mitigated as attack traffic, compared with Q4 2021. Those spikes are shown below, using a seven-day rolling average:

Note: our Firewall blocks malicious HTTP requests, e.g. L7 DDoS requests, hacking attempts, vulnerability scanning and brute-force login attempts.

Nor have the attacks abated as the conflict has worn on. Although we’ve seen a reduction in firewall mitigations, in recent months we have seen spikes in DDoS attacks. On a number of occasions in September and October, DDoS attack traffic amounted to more than 80 percent of all traffic to sites on the .ua top level domain, as shown in the chart below.

Cloudflare was proud to play a role in ensuring that these types of widespread DDoS and other cyberattacks did not disrupt the Ukrainian Internet. Cloudflare has offered free services and support to a wide variety of Ukrainian government and infrastructure providers to help address those attacks since the beginning of the conflict. We currently protect approximately 130 Ukrainian domains in this program, run by more than 50 different Ukrainian government agencies and companies.

Many nonprofit groups trying to operate in the region by helping refugees, documenting war crimes, sharing information and providing local services have also had to contend with cyberattacks. We expedited the onboarding of these groups onto Cloudflare’s Project Galileo, Cloudflare’s project to provide free services to vulnerable non-profits and human rights defenders. Since the invasion, we have onboarded 54 organizations in Ukraine to Project Galileo. Overall, we protect 79 organizations in Ukraine. We currently protect 130 organizations in the broader region, with 77 organizations (including those in Ukraine) onboarded to the project during the crisis.

New models of security

As Russian troops advanced deep into Ukraine earlier this year, the physical security of Ukrainian Internet infrastructure became as much a concern as the digital security. Companies and data centers operating in the region had to plan for possible degradation of the infrastructure through power outages or bombings as well as the possibility that Russian forces might get physical access to their offices or equipment. This reality raised both security and data destruction concerns.

Cloudflare took steps to secure our infrastructure in the region, configuring our machines to brick themselves if they lost power or connectivity. We carefully monitored activity in the region, ensuring that we would be aware of any notable changes in circumstances. We also secured our customers’ data, moving customer key material out of our data centers in the region. We’ve continued to operate our services in the region with Keyless SSL.

The Russian occupation of Ukraine highlighted the importance of having networks and digital defense systems that extend beyond a single country’s borders. Ukrainian government agencies and companies looking to make sure they could continue to provide vital services migrated their data to public clouds, allowing them to move it to safety in data centers throughout Europe. Cloudflare’s massive global network allowed those same entities to easily mitigate cyberattacks in the country where the attacks originated, rather than battling massive influxes of traffic and attacks inside Ukraine.

The possibility that Russian troops would get physical access to work locations also brought into sharp view the need for entities to have granular control over access to internal systems and applications. Companies needed to be able to quickly and efficiently withdraw access for those who might have remained in the region. Cloudflare saw a spike in demand for our zero trust solutions, prompted by those concerns about possible lateral movement in the event of a breach, as well as the need for VPN availability and performance.

Internet disruptions and routing as tools in armed conflict

The world has been watching as the Ukrainian Internet has become a tool in the ongoing conflict. Internet shutdowns in war-torn areas disrupt critical communications, making it challenging for people to learn about the safety of their loved ones and to disseminate information about events on the ground to the world.

At Cloudflare, we have tracked dozens of Internet outages in Ukraine since the beginning of the conflict, caused by power outages and Russian attacks. We continue to publicly report on outages in the Cloudflare Radar Outages Center.

Some of these outages also raise significant questions. On September 1, 2022, for example, the day the International Atomic Energy Agency (IAEA) inspectors arrived at the Zaporizhzhia Nuclear Power Plant, there were Internet outages in two local ISPs that service the area. Those outages lasted until September 10, as shown in the charts below.

The Russian military also took advantage of its occupation of parts of Ukraine to manipulate Internet access. In multiple instances, they took charge of local telecoms, forcing the rerouting of Internet traffic through Russia or even a complete change of traffic to a Russian Internet service provider. Between May 1, 2022, and September 1, 2022, Cloudflare tracked more than 20 networks whose routing was altered to a Russian Internet service provider. Eleven of those networks had routes altered between May 29, 2022, and May 31, 2022, just as Ukraine announced its counteroffensive in Kherson. Those actions resulted in imposition of the same Russian controls, surveillance, and censorship as the Internet within Russia, giving Russia significant control over the information environment in the affected areas.

What’s next?

We can’t predict how long the war in Ukraine will last, but we do know that the need for a secure and reliable Internet there is as critical as ever. At Cloudflare, we’re committed to continuing to provide tools that protect critical services from cyberattack, improve security for those operating in the region, and share information about what is happening with the Internet inside Ukraine.
